1 Reply Latest reply on Aug 23, 2019 11:26 AM by cweiler

    Keycloak8/Wildfly17 behind nginx reverse-proxy: standalone.xml config questions?


      I'm setting up a 1st keycloak v8/head instance.

      It bundles WildFly 17 et al.

          egrep -i "<wildfly\.[a-z].*\.version>" keycloak/pom.xml

              JBoss Admin Command-line Interface
              JBOSS_HOME: /opt/keycloak
              Release: 9.0.2.Final
              Product: Keycloak 8.0.0-SNAPSHOT
              JAVA_HOME: /etc/alternatives/java_sdk_openjdk
              java.version: 12.0.2
              java.vm.vendor: Oracle Corporation
              java.vm.version: 12.0.2+9-suse-lp151.40.1-x8664
              os.name: Linux
              os.version: 5.2.9-25.g71d4424-default

      It's up & running.

      Both the admin & mgmt UIs are *directly* accessible & functional via http://, given




      So far, so good.

      I'm now trying to get it operating behind an SSL terminating Nginx reverse-proxy.

      I haven't found a good just-reverse-proxy example/doc yet.
      Closest so far, reading at

      > Using WildFly as a static load balancer

      which is for a load-balanced config, using ajp.

      Atm, I'm interested in a non-load-balanced config, and am unclear how to properly modify that config.

      My GOAL is to have the front-end terminator respond, for Keycloak, at

      > https://my.example.com:10001/keycloak

      Based on the referenced config above, I've got, atm,

          /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-host1/:add(host=my.example.com, port=10001)
          /subsystem=undertow/configuration=handler/reverse-proxy=my-handler/host=host1:add(outbound-socket-binding=remote-host1, scheme=ajp, instance-id=myroute, path=/keycloak)

      but I'm not getting past the first page of the Keycloak app to its login page when accessing via the terminator, yet. So, some changes are req'd.

      With NO loadbalancing, what "scheme=" attribute is used?  ajp isn't still appropriate, is it?

      Also, are the

          ... path=/keycloak ...
          ... location=\/keycloak ...

      path specs correct here?

        • 1. Re: Keycloak8/Wildfly17 behind nginx reverse-proxy: standalone.xml config questions?



          I will share my Apache config; maybe you can convert it to nginx...


          We've made no changes to the WildFly setup besides enabling AJP, but you can use HTTP without problems:

            ServerName sso.domain.com
            ProxyPreserveHost On
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Port "443"
            ProxyPass / ajp://localhost:9009/
            ProxyPassReverse / ajp://localhost:9009/


          We don't use the management interface on Keycloak, only on applications running on WildFly, and we have a dedicated vhost config:

            ServerName app-mgmt.domain.com
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Port "443"
            RequestHeader unset Origin
            ProxyPreserveHost On
            ProxyPassReverseCookieDomain localhost app-mgmt.domain.com
            ProxyPass / http://localhost:9990/
            ProxyPassReverse / http://localhost:9990/


          In Docker we set this up as well (copied from the official Keycloak Docker image):

            /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})
            /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})


          And we are facing the problems reported here: Authentication required on Management Console


          > ajp isn't still appropriate, is it?

          We have the same question.
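The nginx equivalent of the Apache vhost in the reply above, for the single-instance, SSL-terminating setup the original question asks about. This is an added example, not configuration posted by either participant or shipped by the Keycloak project. With nginx doing the termination, WildFly's own undertow reverse-proxy handler (the `reverse-proxy=my-handler` / `remote-host1` commands in the question) and AJP are not needed: nginx talks plain HTTP to Keycloak's listener. Assumed values, to be adjusted: public name my.example.com on port 10001 (from the question), Keycloak's HTTP listener on 127.0.0.1:8080, certificate paths under /etc/nginx/tls/, and Keycloak's web-context changed from its default `auth` to `keycloak` in the keycloak-server subsystem of standalone.xml (if it is left at the default, use `/auth/` on both sides instead). The path is deliberately the same on the public and backend side: Keycloak builds absolute redirect URLs from the incoming request, so mapping `/keycloak` to a different backend path is what typically stops the login page from appearing.

```nginx
# Added example (not from the thread): nginx as SSL terminator in front of one
# Keycloak 8 / WildFly 17 instance. No load balancing, HTTP to the backend.
#
# Assumptions (hypothetical, adjust to taste):
#   - public endpoint https://my.example.com:10001/keycloak
#   - Keycloak http-listener bound to 127.0.0.1:8080 only
#   - Keycloak web-context set to "keycloak" (default is "auth")
#   - TLS material under /etc/nginx/tls/

server {
    listen 10001 ssl;
    server_name my.example.com;

    ssl_certificate     /etc/nginx/tls/my.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/my.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Same path on both sides; see lead-in for why no rewrite is done here.
    location /keycloak/ {
        proxy_pass http://127.0.0.1:8080/keycloak/;
        proxy_http_version 1.1;

        # Preserve the original Host header INCLUDING the non-standard port.
        # $host strips ":10001"; $http_host keeps it, which Keycloak needs to
        # generate correct absolute URLs for the login flow.
        proxy_set_header Host              $http_host;

        # What Undertow reads once proxy-address-forwarding is enabled:
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Keycloak responses can carry large headers/cookies; the nginx
        # defaults (4k/8k) are sometimes too small for the admin console.
        proxy_buffer_size       128k;
        proxy_buffers           4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Nothing else is published through this vhost: in particular no route to
    # the WildFly management console on 9990.
    location / {
        return 404;
    }
}
```

On the WildFly side the only change needed is the one the reply quotes from the Docker image: run the two `write-attribute(name=proxy-address-forwarding, ...)` commands with the value resolving to `true` (either export `PROXY_ADDRESS_FORWARDING=true` or write the literal `true`). Two caveats a practitioner should keep in mind. First, once proxy-address-forwarding is on, Undertow trusts `X-Forwarded-*` from whoever connects to the listener, so the Keycloak HTTP listener must only be reachable from nginx (bind to loopback or firewall port 8080); otherwise anyone who can reach 8080 directly can spoof their source address and claim `https` for a plain-HTTP request. Second, the `/keycloak/` prefix means the vhost never forwards to the management interface; if, like the reply, you do publish 9990 through a proxy, give it its own hostname and restrict it by source address rather than exposing it on the same public endpoint as the login page.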